Voice assistants can be hacked by commanding them with inaudible ultrasonic speech

In DolphinAttack: Inaudible Voice Commands, researchers from Zhejiang University demonstrate an attack on popular voice assistants in laptops and mobile devices from Apple, Google, Amazon, Microsoft, Samsung, and Huawei: by commanding these assistants using speech that has been shifted to ultrasonic ranges, they are able to hijack devices in public places without their owners' knowledge.

The attack owes its efficacy to the devices' use of ultrasound for signaling to establish contact with one another, and as a means of resolving ambiguity and nuance in speech recognition. The designers of the systems have thus created software that can recognize ultrasonic voice commands -- but lacks the smarts to be alarmed at human speech that occurs in registers beyond the capacity of the human vocal apparatus.

The attack involved about $3 worth of audio hardware.

The attackers successfully issued commands to dial arbitrary phone numbers; open connections to poisoned websites; open physical, internet-connected home locks; redirect automotive navigation systems; and so on. They were able to attack devices that were "locked" and theoretically unresponsive, thanks to defaults in these systems that cause them to respond to voice commands while locked up.

9 CONCLUSION

In this paper, we propose DolphinAttack, an inaudible attack to SR systems. DolphinAttack leverages the AM (amplitude modulation) technique to modulate audible voice commands on ultrasonic carriers by which the command signals cannot be perceived by humans. With DolphinAttack, an adversary can attack major SR systems including Siri, Google Now, Alexa, etc. To avoid the abuse of DolphinAttack in reality, we propose two defense solutions from the aspects of both hardware and software.
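The missing check described above (being alarmed by "speech" that sits outside the range of a human voice) can be sketched as a band-energy test. This is an added example, not code from the paper or from any vendor, and not the paper's proposed defense; the 96 kHz raw capture, frame length, band edges and threshold are all assumptions.

```python
import math

# Assumptions (not from the article): raw samples at 96 kHz taken before any
# low-pass filtering, 10 ms frames, and the band edges and threshold below.
SAMPLE_RATE = 96_000
FRAME_LEN = 960                      # 10 ms -> 100 Hz bin spacing
VOICE_BAND = (300, 3_400)            # Hz, typical speech band
ULTRASONIC_BAND = (20_000, 40_000)   # Hz, above human hearing

def goertzel_power(samples, freq, rate=SAMPLE_RATE):
    """Signal power at one frequency, via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_energy(samples, band, step=100):
    """Sum the power of every `step`-Hz bin inside `band` (inclusive)."""
    lo, hi = band
    return sum(goertzel_power(samples, f) for f in range(lo, hi + 1, step))

def ultrasonic_ratio(samples):
    """Fraction of voice+ultrasonic energy that sits in the ultrasonic band."""
    voice = band_energy(samples, VOICE_BAND)
    ultra = band_energy(samples, ULTRASONIC_BAND)
    total = voice + ultra
    return ultra / total if total > 0 else 0.0

def is_suspicious(samples, threshold=0.5):
    """Flag a frame whose energy is mostly beyond the range of a human voice."""
    return ultrasonic_ratio(samples) >= threshold

def tone_mix(freqs, envelope_hz=0.0):
    """Constructed test frame: sum of sines, optionally with a slow envelope."""
    frame = []
    for n in range(FRAME_LEN):
        t = n / SAMPLE_RATE
        env = 1.0 + 0.5 * math.sin(2 * math.pi * envelope_hz * t)
        frame.append(env * sum(math.sin(2 * math.pi * f * t) for f in freqs))
    return frame

SPEECH_LIKE = tone_mix([500, 1_000, 1_500])         # constructed, audible only
ULTRASONIC = tone_mix([25_000], envelope_hz=500)    # constructed, inaudible
SILENCE = [0.0] * FRAME_LEN

if __name__ == "__main__":
    for name, frame in [("speech-like", SPEECH_LIKE), ("ultrasonic", ULTRASONIC)]:
        print(name, round(ultrasonic_ratio(frame), 3), is_suspicious(frame))
```

A check like this only sees what the capture chain preserves: it needs a sample rate above twice the highest band edge and access to the samples before any filtering removes the ultrasonic content.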
